Incorrect Regular Expression in Symfony - CVE-2026-45065

Published: May 21, 2026


Vulnerability identifier: #VU132066
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45065
CWE-ID: CWE-185
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SensioLabs
Affected software: Symfony

Detailed vulnerability description

The vulnerability allows a remote attacker to redirect users to an untrusted site.

The vulnerability exists due to incorrect regular expression handling in UrlGenerator when route parameter values are validated against a requirement written as a regex alternation during URL generation. A remote attacker can supply a crafted parameter value that passes this validation and produces a protocol-relative URL, redirecting users to an untrusted site.

The issue occurs because, when the requirement is an ungrouped alternation, the anchors are applied only to the first and last alternatives rather than to the pattern as a whole, so a value that merely begins with the first alternative or ends with the last one is accepted.


How to mitigate CVE-2026-45065

Install the security update from the vendor's website.